CrowdStrike IT Outage: Wave of Business Interruption Claims Expected
Businesses, public services, and computer users across the world faced disruption last week as a result of the major CrowdStrike information technology (IT) outage, which is being described by many as one of the largest and worst cyber events in recent history.
Many businesses that were taken offline are expected to have suffered heavy losses and the insurance industry is braced for a wave of claim notifications as policyholders look to recover their business interruption losses. Unusually, this cyber event was apparently not the result of a malicious attack but rather a technical fault. This alert looks at what happened, who might pay compensation, what insurance cover may be available, and what steps can be taken by policyholders to maximise insurance recoveries.
What Happened?
Reports of IT problems began to emerge late on Thursday, 18 July 2024, with many computer users complaining that they were experiencing the infamous blue-screen and error message indicating a system failure when attempting to boot up their computers.
The outage was caused by a faulty update that cybersecurity firm, CrowdStrike, made to its Falcon system, which is a piece of cloud-based software that allows CrowdStrike to remotely monitor and protect computer systems from cyberattacks and malware.
It is estimated that the outage affected 8.5 million devices and is likely to have broad economic and societal impacts as CrowdStrike’s Falcon system is used by many businesses that run services across the world (many hospitals, airlines, and rail companies suffered significant disruption).1 Whilst it is too early to accurately predict the cost of the outage to the global economy, the figure is expected to be high, with some suggesting the cost to insurers could surpass the US$1 billion mark.2
Who Might Pay Compensation?
CrowdStrike has admitted that the fault originated with them, and so they may be expected to take some responsibility, although their liability is likely to be determined by the terms and conditions agreed with customers.
As with any major cyber incident, many of the businesses that suffered interruption losses as a result of the outage are likely to turn to their insurance provider and seek to recover those losses under their insurance programme.
Will Policyholders be Able to Recover Losses?
Some policyholders may seek to recover under their property damage and business interruption insurance, given that the main category of losses is likely to be business interruption resulting from disruption to network systems, but insurers may take the position that these policies do not cover network-related risks. Many businesses will also have obtained some form of cyber-insurance policy, so they will need to consider to what extent that provides cover for losses arising from the CrowdStrike outage.
Cyber-insurance policies tend to provide coverage for both first-party losses and third-party liabilities arising out of cyber incidents such as network interruptions, data breaches, and ransomware attacks. First-party insurance covers the insured’s own losses, whereas third-party insurance covers the insured’s liability for losses suffered by customers, clients, and other parties resulting from a cyber incident.
The CrowdStrike outage may have resulted in both forms of loss, as businesses will have suffered their own losses from being unable to access their systems, including some well-known retail companies that were forced to revert to cash-only payments. They may also have incurred IT forensic and remediation costs in trying to get their systems back up and running. Some businesses may face potential liabilities to third parties, particularly where the outage affected their ability to provide a contracted service, which could also result in brand or reputational damage.
Such losses and liabilities would normally result from some kind of malicious cyber event or attack, rather than a faulty update. However, some cyber-policies may offer broader cover, including for network interruption that has arisen due to non-malicious cyber events at a third-party network service provider. Policyholders will need to consider whether there are any limits in the cover provided, for example some policies only respond once the network has been interrupted for a defined waiting period (e.g., 12 hours).
What Steps Can be Taken to Maximise Insurance Cover?
The terms of cyber-insurance policies can vary enormously but there are steps that can be taken by policyholders to maximise insurance recoveries:
Prompt Notification to Insurers
Most cyber-policies provide for written notice to be given as soon as practicable, or within a specified time period, of any cyber-attack or incident which may impact the insurance cover. Prompt notification is beneficial and may facilitate access to third-party service providers, such as IT and forensic experts, who can assist with any network issues and advise on any remediation required.
Early Coverage Assessment
Consultation with experienced coverage lawyers will assist in identifying and analysing responsive policies and in anticipating any coverage issues insurers might raise. If insurers impose reservations of rights, or rely on coverage defences or policy exclusions, coverage counsel can often assist in combatting these arguments at an early stage.
Collate and Preserve Relevant Documents
Insurers (as well as third-party claimants) may request production of extensive documentation, and it is important to take steps early on to ensure potentially relevant documents are located and preserved.
Preparation of Proof of Loss
Insureds will need to demonstrate how the loss occurred, including the time of impact and extent of disruption, along with details of any financial losses incurred. Insureds should adopt a pro-active approach to collating this information and adhere to any deadlines imposed, requesting additional time where necessary.
Defence of Claims
If or to the extent that third-party claims are made, policyholders may benefit from appointing external legal counsel familiar with network and data related liability issues. Insureds should consider the policy requirements and negotiate with insurers to ensure that lawyers with adequate experience are appointed. Insureds may need to consider giving notice under additional forms of cover, such as professional liability insurance, particularly if the network interruption may have adversely affected the quality of client services.
Conclusion
Policyholders may be able to recover business interruption and other losses arising from the CrowdStrike outage under their cyber-insurance policy, but they will need to carefully review the terms of the policy to understand to what extent they are covered for this type of non-malicious event. Policyholders should act promptly in giving notice under any cyber or other potentially responsive policies.
K&L Gates’ Insurance Recovery and Counseling practice regularly assists policyholders in assessing coverage for cyber-related incidents and in maximizing insurance recoveries at an early stage, often working closely with lawyers from our Data Protection, Privacy, and Security and Cybersecurity and Privacy practice groups.